The following features are supported with and without the use of a Cisco IOS firewall image:

•Standard access lists and static extended access lists

•Lock-and-key (dynamic access lists)

•IP session filtering (reflexive access lists)

•TCP intercept

•Security server support

•Network address translation

•Neighbor router authentication

•Event logging

•User authentication and authorization

Note Catalyst 6500 series switches support the Intrusion Detection System Module (IDSM) (WS-X6381-IDS). Catalyst 6500 series switches do not support the Cisco IOS firewall IDS feature, which is configured with the ip audit command.

Cisco IOS Firewall Guidelines and Restrictions

When configuring the Cisco IOS firewall features, follow these guidelines and restrictions:

•On other platforms, if you enter the ip inspect command on a port, CBAC modifies ACLs on other ports to permit the inspected traffic to flow through the network device. On Catalyst 6500 series switches, you must enter the mls ip inspect command to permit traffic through any ACLs that would deny the traffic through other ports. Refer to the "Additional CBAC Configuration" section for more information.

•Reflexive ACLs and CBAC have conflicting flow mask requirements. Reflexive ACLs are processed in software on the MSFC.

•CBAC is incompatible with VACLs. You can configure CBAC and VACLs on the switch but not in the same subnet (VLAN).

Note The Intrusion Detection System Module (IDSM) uses VACLs to select traffic. To use the IDSM in a subnet where CBAC is configured, enter the mls ip idsacl_name interface command, where acl_name is configured to select traffic for the IDSM.

•You can configure CBAC on physical ports configured as Layer 3 interfaces and on VLAN interfaces.

•You cannot configure VACLs and CBAC on the same interface.

Additional CBAC Configuration

You need to do additional CBAC configuration on the Catalyst 6500 series switches. On a network device other than a Catalyst 6500 series switch, when ports are configured to deny traffic, CBAC permits traffic to flow bidirectionally through the port if it is configured with the ip inspect command. The same situation applies to any other port that the traffic needs to go through, as shown in this example:

Router(config)# ip inspect name permit_ftp ftp

Router(config)# interface vlan 100

Router(config-if)# ip inspect permit_ftp in

Router(config-if)# ip access-group deny_ftp_a in

Router(config-if)# ip access-group deny_ftp_b out

Router(config-if)# exit

Router(config)# interface vlan 200

Router(config-if)# ip access-group deny_ftp_c in

Router(config-if)# ip access-group deny_ftp_d out

Router(config-if)# exit

Router(config)# interface vlan 300

Router(config-if)# ip access-group deny_ftp_e in

Router(config-if)# ip access-group deny_ftp_f out

Router(config-if)# end

If the FTP session enters on VLAN 100 and needs to leave on VLAN 200, CBAC permits the FTP traffic through ACLs deny_ftp_a, deny_ftp_b, deny_ftp_c, and deny_ftp_d. If another FTP session enters on VLAN 100 and needs to leave on VLAN 300, CBAC permits the FTP traffic through ACLs deny_ftp_a, deny_ftp_b, deny_ftp_e, and deny_ftp_f.

On a Catalyst 6500 series switch, when ports are configured to deny traffic, CBAC permits traffic to flow bidirectionally only through the port configured with the ip inspect command. You must configure other ports with the mls ip inspect command.

If the FTP session enters on VLAN 100 and needs to leave on VLAN 200, CBAC on a Catalyst 6500 series switch permits the FTP traffic only through ACLs deny_ftp_a and deny_ftp_b. To permit the traffic through ACLs deny_ftp_c and deny_ftp_d, you must enter the mls ip inspect deny_ftp_c and mls ip inspect deny_ftp_d commands, as shown in this example:

The show fm insp [detail] command displays the list of ACLs and ports on which CBAC is configured and the status (ACTIVE or INACTIVE), as shown in this example:

Router# show fm insp

interface:Vlan305(in) status :ACTIVE

acl name:deny

interfaces:

Vlan305(out):status ACTIVE

On VLAN 305, inspection is active in the inbound direction and no ACL exists. ACL deny is applied on VLAN 305 in the outbound direction and inspection is active.

To display all of the flow information, use the detail keyword.

If a VACL is configured on the port before configuring CBAC, the status displayed is INACTIVE; otherwise, it is ACTIVE. If PFC resources are exhausted, the command displays the word "BRIDGE" followed by the number of currently active NetFlow requests that failed, which have been sent to the MSFC for processing.

Tip For additional information about Cisco Catalyst 6500 Series Switches (including configuration examples and troubleshooting information), see the documents listed on this page: